- Linette asked on April 16, 2014 at 08:38 PM
The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).
This includes covered entities (CE), anyone who provides treatment, payment and operations in healthcare, and business associates (BA), anyone with access to patient information and provides support in treatment, payment or operations. Subcontractors, or business associates of business associates, must also be in compliance.
Question: Is JOTFORM in compliance with the HIPAA Privacy Rule?
Context: I am designing the website for a physical therapy company in DC and they need forms on their site "to collect private patient information." This data must be protected and compliant with HIPAA. The head of the company needs assurance that JOTFORM is also compliant with HIPAA.
- Cesar answered on April 16, 2014 at 11:47 PM
Currently Jotform does not hold a HIPAA compliance certificate; nevertheless, you can use Jotform in a HIPAA-compliant way. More details below:
Our servers already match all criteria, since we already care a lot about security. However, some features of our application are not HIPAA compliant, so if you refrain from using those features, you should be fine.
1. Always use the SSL (https) version of the JotForm site in your browser. Use "https://www.jotform.com" to log in to your account, create your forms, look at your submissions and link to your forms.
2. Edit the emails on all forms to make sure no specific information is used in them. We send emails in plain text, so they are not secure. Only use emails to get alerts that there is a new submission. Once you receive an email alert, log into the secure JotForm site and then look at the user
3. If you use the Reports feature, only do it with password protection. That will both ask for a password and transfer all data over SSL.
4. Same for uploads. They are not password protected.
5. Log out immediately after you are done with the site.
6. Regularly download submissions and then delete them.
Data stored on our servers is not encrypted, but access to our servers is safeguarded. Data transmission from the person who submits their health information to our servers can be done in an encrypted manner, by using the forms securely.
JotForm certainly complies with the technical safeguard section of the HIPAA security rule:
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
All this is described in the thread: http://www.jotform.com/answers/4728.
If you have any further concerns, please let us know. Thank you.
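The two checks in the answer above that can be automated are "always link to the https site" and "keep patient data out of the plain-text alert emails". The following script is an added example, not code from Jotform or from anyone in this thread: it audits a set of form links and notification templates before they go live. The `{fieldName}` placeholder syntax, the allowlisted placeholder names and the sample links and templates are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed template syntax: a field placeholder looks like {field_name}.
PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_]+)\}")

# Placeholders that carry no patient data and are acceptable in a plain-text
# alert (assumed names: they only identify the form and the submission).
ALLOWED_PLACEHOLDERS = {"form_title", "submission_id", "submission_link"}

# Constructed sample data; real form ids replaced by obvious placeholders.
SAMPLE_TEMPLATES = {
    "intake_alert": "New submission {submission_id} for {form_title}: {submission_link}",
    "therapy_alert": "Patient {patient_name} reported {diagnosis}. View: {submission_link}",
}
SAMPLE_LINKS = [
    "https://www.jotform.com/form/PLACEHOLDER_FORM_ID_1",
    "http://www.jotform.com/form/PLACEHOLDER_FORM_ID_2",
]


def template_leaks(template: str) -> list[str]:
    """Return field placeholders in an alert template that are not on the allowlist.

    Anything outside the allowlist would substitute submitted form data into an
    email that is sent in the clear, so it is reported as a leak.
    """
    found = set(PLACEHOLDER.findall(template))
    return sorted(found - ALLOWED_PLACEHOLDERS)


def insecure_links(urls) -> list[str]:
    """Return links whose scheme is not https (form data would travel unencrypted)."""
    return [u for u in urls if urlparse(u).scheme.lower() != "https"]


def audit(templates: dict, urls) -> dict:
    """Run both checks and summarise the findings.

    Returns a dict with the leaking templates (name -> offending placeholders),
    the non-https links, and an overall pass flag.
    """
    leaking = {name: template_leaks(body) for name, body in templates.items()}
    leaking = {name: leaks for name, leaks in leaking.items() if leaks}
    bad_links = insecure_links(urls)
    return {
        "leaking_templates": leaking,
        "insecure_links": bad_links,
        "passed": not leaking and not bad_links,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_TEMPLATES, SAMPLE_LINKS)
    for name, leaks in result["leaking_templates"].items():
        print(f"template '{name}' substitutes patient fields: {', '.join(leaks)}")
    for link in result["insecure_links"]:
        print(f"link is not https: {link}")
    print("audit passed" if result["passed"] else "audit failed")
```

Run it against your own exported templates and embed links; a clean run means every alert carries only a submission reference and every link forces the encrypted site, which is exactly what steps 1 and 2 of the answer ask for.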